@iqauth/sdk 2.7.0 → 2.8.1

package/dist/{index-5KSZEnDe.d.ts → index-Cko-d5po.d.mts}

@@ -2,9 +2,9 @@ import * as csstype from 'csstype';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import * as React from 'react';
 import { ReactNode } from 'react';
-import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, A as AccountRegistry, C as CallbackResult, M as MagicLinkRequestInput, P as PasswordlessOptions, L as LinkedIdentity, d as LinkProviderInput } from './signIn-BLFnz8SV.js';
-import { J as JwtClaims, S as SessionUser } from './types-XOV9XPVi.js';
-import { I as IQAuthLocaleBundle, b as IQAuthLocaleOverride, a as IQAuthLocaleKey } from './types-BdQ2lqfT.js';
+import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, A as AccountRegistry, C as CallbackResult, M as MagicLinkRequestInput, P as PasswordlessOptions, L as LinkedIdentity, d as LinkProviderInput } from './signIn-CReqfXsh.mjs';
+import { J as JwtClaims, S as SessionUser } from './types-Bn8O-OEd.mjs';
+import { I as IQAuthLocaleBundle, b as IQAuthLocaleOverride, a as IQAuthLocaleKey } from './types-DnU2LhXR.mjs';
 
 /**
  * F11 — `appearance.elements`. The keys are the slot names supported by SDK
@@ -360,13 +360,105 @@ interface ProtectProps {
     role?: string | string[];
     /** Required permission/entitlement. Pass an array to mean "any of". */
     permission?: string | string[];
+    /**
+     * Task #194 — Required scope. Matches when the active session's
+     * `scopeContext` claim equals the supplied `{type, id}`. Pass an array
+     * to mean "any of". A tenant-wide session (no `scopeContext`) does NOT
+     * satisfy a scope constraint — wrap such code in a separate `<Protect role>`
+     * gate if you also want to admit tenant-wide admins.
+     */
+    scope?: ScopeRequirement | ScopeRequirement[];
     /** Custom predicate run against `claims`. Truthy result = allowed. */
     condition?: (claims: JwtClaims | null) => boolean;
     /** Rendered when the user is not authorized. Defaults to `null`. */
     fallback?: ReactNode;
     children?: ReactNode;
 }
-declare function Protect({ role, permission, condition, fallback, children }: ProtectProps): React.FunctionComponentElement<{
+/**
+ * Task #197 — Server-authoritative scope pivot, factored out of the
+ * `useMemberships()` hook so it can be unit-tested without rendering React.
+ *
+ * Behavior:
+ *   1. POST `/api/v1/auth/switch-scope` through `manager.fetch()` (which
+ *      attaches the Bearer token + retries once on 401).
+ *   2. On a non-2xx response, throw with the server-provided error message
+ *      so callers can surface it via toast / banner.
+ *   3. On success, adopt the access token the server returned in the JSON
+ *      body via `manager.adoptAccessToken()`. This is the key behavior:
+ *      the new claims (with the pivoted `scopeContext`) take effect in
+ *      memory immediately, without a second `/refresh` round-trip that
+ *      could fail and strand the user on a stale token despite the
+ *      server-side pivot having already succeeded.
+ *   4. Fire-and-forget a `manager.refresh()` so the refresh-cookie session
+ *      stays aligned with the new scope across tabs / future bootstraps.
+ *      We deliberately do NOT await or throw on its failure — the pivot
+ *      already succeeded server-side AND in memory.
+ *   5. Defensive fallback: if the response body omits `accessToken` (older
+ *      server that didn't ship Task #197 yet), fall through to the legacy
+ *      "drive a refresh and throw on failure" path.
+ */
+declare function performScopeSwitch(manager: SessionManager, base: string, target: ScopeRequirement): Promise<void>;
+/**
+ * Task #199 — Server-authoritative tenant pivot, mirror of
+ * `performScopeSwitch`. Modeled to survive a failing refresh leg the
+ * same way: the success response from `POST /api/v1/auth/select-tenant`
+ * carries the freshly-minted access token, we `adoptAccessToken()` it
+ * immediately, and only then fire a fire-and-forget `manager.refresh()`
+ * so the refresh-cookie session stays aligned across tabs / future
+ * bootstraps.
+ *
+ * The endpoint accepts the authenticated tenant-pivot shape (no
+ * `tenantSelectionToken`) when the request carries a valid access
+ * token — `manager.fetch()` attaches it for us.
+ *
+ * Returns a discriminated union:
+ *   - `{ kind: "ok", tenantId }` — pivot completed
+ *   - `{ kind: "mfa_required", tenantId, mfaChallengeToken, availableMethods }`
+ *   - `{ kind: "scope_selection_required", tenantId, scopeSelectionToken, scopes }`
+ *
+ * Throws on non-2xx and on the legacy-server refresh fallback failing.
+ * The MFA and scope-selection branches were previously thrown with a
+ * magic-string `Error("mfa_required: …")` / `Error("scope_selection_required: …")`;
+ * Task #205 moves them to typed results so `<OrganizationSwitcher/>`
+ * and `<OrganizationList/>` can render localized prompts that route
+ * the user to the hosted sign-in to complete the missing step.
+ */
+type TenantSwitchResult = {
+    kind: "ok";
+    tenantId: string;
+} | {
+    kind: "mfa_required";
+    tenantId: string;
+    mfaChallengeToken: string;
+    availableMethods: string[];
+} | {
+    kind: "scope_selection_required";
+    tenantId: string;
+    scopeSelectionToken: string;
+    scopes: Array<Record<string, unknown>>;
+};
+declare function performTenantSwitch(manager: SessionManager, base: string, tenantId: string): Promise<TenantSwitchResult>;
+/** Task #194 — Shape passed to `<Protect scope>` and `useMemberships().switchScope`. */
+interface ScopeRequirement {
+    type: "vendor" | "source" | "client";
+    id: string;
+}
+/**
+ * Task #194 — Pure helper that returns `true` when the supplied claims
+ * carry a `scopeContext` matching ANY of the supplied requirements.
+ * Exported so framework adapters AND tests can verify the matching rule
+ * without rendering React.
+ *
+ * Matching rule:
+ *   - `claims.scopeContext.type === required.type`
+ *   - `claims.scopeContext.id   === required.id`
+ *
+ * A claims object with no `scopeContext` never matches a scope requirement
+ * — tenant-wide admins must be gated separately via `<Protect role>` if you
+ * want them to also see scope-gated UI.
+ */
+declare function claimSatisfiesScope(claims: JwtClaims | null, required: ScopeRequirement | ScopeRequirement[]): boolean;
+declare function Protect({ role, permission, scope, condition, fallback, children }: ProtectProps): React.FunctionComponentElement<{
     children?: ReactNode | undefined;
 }>;
 /**
@@ -547,8 +639,24 @@ interface SignInProps extends Partial<SharedComponentProps> {
      * F10 — Optional. Defaults to `${origin}/api/iqauth/callback` (the path
      * mounted by the framework adapters). Must be in the app's allowed
      * origins.
+     *
+     * NOTE: this is the OIDC `redirect_uri` — i.e. WHERE the authorization
+     * code is delivered (the adapter's callback handler), NOT the page the
+     * user finally lands on. To control the post-login landing page use
+     * {@link afterSignInUrl}.
      */
     returnTo?: string;
+    /**
+     * Where the user should land AFTER login completes (distinct from
+     * {@link returnTo}, which is pinned to the adapter callback). The SDK
+     * persists this in the `iqauth_return_to` cookie before redirecting; the
+     * cookies-only framework adapters' `/api/iqauth/callback` reads it and
+     * 302s there once the code→cookie exchange finishes. When omitted, the
+     * SDK reads `?return_to=` / `?next=` from the current URL; if neither is
+     * present the adapter falls back to `/`. Sanitized against the provider's
+     * `allowedReturnOrigins` (same-origin + allow-list only).
+     */
+    afterSignInUrl?: string;
     /** Called after successful redirect. By default, `window.location.href = url`. */
     onRedirect?: (url: string) => void;
     /** Pass `"login"` to force the form to render even when an SSO session is active. */
@@ -562,6 +670,22 @@ interface SignInProps extends Partial<SharedComponentProps> {
      * continue.
      */
     silentSso?: boolean;
+    /**
+     * Task #171 — Optional deep-link scope hint forwarded to the hosted
+     * `/oidc/sso-login`, `/oidc/sso-tenant-select`, and
+     * `/oidc/sso-scope-select` endpoints. When the user has only source/client
+     * memberships in the resolved tenant AND this hint uniquely matches one
+     * active membership the backend skips the picker and mints a scoped
+     * session straight away. Accepted forms: `{ type: "vendor"|"source"|
+     * "client", id: string }` or the canonical string `"<type>:<id>"`.
+     * When omitted, the SDK also reads `?scope_hint=<type>:<id>` from
+     * `window.location.search` so apps using the standard hosted entry point
+     * inherit deep-link hints for free.
+     */
+    scopeHint?: {
+        type: "vendor" | "source" | "client";
+        id: string;
+    } | string;
 }
 /**
  * Pure render-decision helper. When this returns `true`, `<SignIn/>` MUST
@@ -576,6 +700,19 @@ declare function isSilentSsoEligible(ctx: {
     };
     returnAllowed: boolean;
 } | null | undefined, effectivePrompt: "login" | undefined): boolean;
+/**
+ * Pure resolver for `<SignIn/>`'s post-login landing page. Precedence:
+ * explicit `prop` → `?return_to=` → `?next=` → `/`. The result is passed
+ * through {@link sanitizeReturnTo} so only same-origin or allow-listed
+ * destinations survive (open-redirect safe). Exported so the resolution
+ * order can be unit-tested without a DOM.
+ */
+declare function resolveAfterSignInDestination(args: {
+    prop?: string | null;
+    search?: string;
+    allowedOrigins?: string[];
+    currentOrigin?: string;
+}): string;
 declare function SignIn(props: SignInProps): react_jsx_runtime.JSX.Element;
 interface SignUpProps extends SharedComponentProps {
     returnTo?: string;
@@ -609,6 +746,91 @@ interface OrganizationSwitcherProps {
     className?: string;
 }
 declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearance, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
+/** Task #194 — One scoped membership entry (source/client/vendor). */
+interface ScopedMembership {
+    membershipId: string;
+    scopeType: "vendor" | "source" | "client";
+    scopeId: string;
+    scopeName: string;
+    role: string;
+    /** Surfaces inherited grants (e.g. a vendor-wide grant that implicitly covers a source). */
+    grantedVia?: "direct" | "vendor" | "source" | string;
+}
+interface UseMembershipsResult {
+    isLoading: boolean;
+    error: string | null;
+    /** Flattened source/client/vendor memberships in the active tenant. */
+    memberships: ScopedMembership[];
+    /** The scope the active access token is currently minted under (or `null` for tenant-wide). */
+    active: {
+        type: "vendor" | "source" | "client";
+        id: string;
+        role: string;
+        membershipId: string;
+    } | null;
+    /** Re-fetch the membership list (e.g. after an admin grants new access). */
+    refresh: () => Promise<void>;
+    /**
+     * Switch the active scope. Calls `POST /api/v1/auth/switch-scope` then
+     * `manager.refresh()` so the next access token carries the new
+     * `scopeContext`. Throws on HTTP errors so callers can surface a toast.
+     */
+    switchScope: (target: ScopeRequirement) => Promise<void>;
+}
+/**
+ * Task #194 — First-class scoped-memberships hook. Modelled after Clerk's
+ * `useOrganizationList()` but for IQAuth's source/client/vendor scopes.
+ *
+ * - `memberships`: flat list across vendors + sources + clients in the
+ *   currently bound tenant. Fetched once on mount via
+ *   `GET /api/v1/auth/available-scopes`.
+ * - `active`: derived synchronously from `snapshot.user.scopeContext`,
+ *   so it stays in sync with refreshes triggered elsewhere (tab focus,
+ *   cross-tab broadcast).
+ * - `switchScope({type, id})`: server-authoritative scope pivot.
+ *   Returns after `manager.refresh()` resolves so consumers can `await`
+ *   it and assume the new claim is live on the next render.
+ */
+declare function useMemberships(): UseMembershipsResult;
+interface ScopeSwitcherProps {
+    /** Optional callback fired after a successful switch + refresh. */
+    onSwitched?: (target: ScopeRequirement) => void;
+    /** Filter the rendered list. Defaults to all three scope types. */
+    include?: Array<"vendor" | "source" | "client">;
+    className?: string;
+}
+/**
+ * Task #194 — Headless-ish scope picker. Renders the current `active`
+ * scope as a button; expanding it lists every membership returned by
+ * `useMemberships()`. Picking one calls `switchScope()` and (on success)
+ * triggers `onSwitched`. Uses inline styles for the same reason
+ * `<OrganizationSwitcher/>` does: SDK chrome must work in any host app
+ * without requiring a specific CSS framework. Host apps can build their
+ * own UI on top of `useMemberships()` directly when they need full
+ * control.
+ */
+declare function ScopeSwitcher({ onSwitched, include, className }: ScopeSwitcherProps): React.DetailedReactHTMLElement<{
+    className: string | undefined;
+    "data-testid": string;
+    style: {
+        fontSize: number;
+        opacity: number;
+    };
+}, HTMLElement> | React.DetailedReactHTMLElement<{
+    className: string | undefined;
+    "data-testid": string;
+    style: {
+        fontSize: number;
+        color: "#b91c1c";
+    };
+}, HTMLElement> | React.DetailedReactHTMLElement<{
+    className: string | undefined;
+    "data-testid": string;
+    style: {
+        position: "relative";
+        display: "inline-block";
+    };
+}, HTMLElement> | null;
 interface ImpersonationInfo {
     isImpersonating: boolean;
     /** The admin who started the impersonation (from JWT `act` claim). */
@@ -1623,4 +1845,4 @@ interface LinkedAccountsProps extends Partial<PasswordlessOptions> {
 declare function LinkedAccounts({ className, onChange, ...rest }: LinkedAccountsProps): react_jsx_runtime.JSX.Element;
 declare const __version__ = "phase-bc-1.0.0";
 
-export { SignUp as $, type AccountSummary as A, type RedirectToSignedInProps as B, RedirectToSignedIn as C, type UseReturnToOptions as D, useReturnTo as E, type IQAuthReturnToBouncerProps as F, IQAuthReturnToBouncer as G, preflightReturnTo as H, type IQAuthAppearanceElements as I, type AuthCallbackProps as J, AuthCallback as K, type IQAuthBranding as L, MultisessionAppSupport as M, type IQAuthSignInContext as N, type SharedComponentProps as O, type ProtectProps as P, useIQAuthSignInContext as Q, type RedirectToSignInProps as R, type SessionError as S, sanitizeBrandCss as T, type UseUserResult as U, useResolvedSdkBranding as V, type SignInProps as W, isSilentSsoEligible as X, SignIn as Y, type SignUpProps as Z, __useIQAuthInternal as _, type IQAuthAppearance as a, type UserSummary as a0, type UserButtonProps as a1, UserButton as a2, type UserProfileProps as a3, UserProfile as a4, type OrganizationSwitcherProps as a5, OrganizationSwitcher as a6, type ImpersonationInfo as a7, useImpersonation as a8, type ImpersonationBannerProps as a9, ImpersonationBanner as aa, type UseReverificationOptions as ab, useReverification as ac, type CreateOrganizationProps as ad, slugify as ae, CreateOrganization as af, type OrganizationProfileProps as ag, OrganizationProfile as ah, type OrganizationListProps as ai, OrganizationList as aj, type WaitlistProps as ak, Waitlist as al, type UseMagicLinkResult as am, useMagicLink as an, type UsePasskeyResult as ao, usePasskey as ap, type UseLinkedIdentitiesResult as aq, useLinkedIdentities as ar, type MagicLinkSignInFormProps as as, MagicLinkSignInForm as at, type PasskeySignInButtonProps as au, PasskeySignInButton as av, type LinkedAccountsProps as aw, LinkedAccounts as ax, __version__ as ay, type IQAuthProviderProps as b, IQAuthProvider as c, useT as d, useUser as e, type UseSessionResult as f, useSession as g, type UseAuthResult as h, useAuth as i, type UseOrganizationResult as j, useOrganization as k, useAuthFetch as l, type SessionListItem as m, type UseSessionListResult as n, useSessionList as o, useAccountList as p, type UseAccountSwitcherResult as q, revokeSession as r, useAccountSwitcher as s, SignedIn as t, useLocale as u, SignedOut as v, IQAuthLoading as w, IQAuthLoaded as x, RedirectToSignIn as y, Protect as z };
+export { useResolvedSdkBranding as $, type AccountSummary as A, performTenantSwitch as B, type ScopeRequirement as C, claimSatisfiesScope as D, Protect as E, type RedirectToSignedInProps as F, RedirectToSignedIn as G, type UseReturnToOptions as H, type IQAuthAppearanceElements as I, useReturnTo as J, type IQAuthReturnToBouncerProps as K, IQAuthReturnToBouncer as L, MultisessionAppSupport as M, preflightReturnTo as N, type AuthCallbackProps as O, type ProtectProps as P, AuthCallback as Q, type RedirectToSignInProps as R, type SessionError as S, type TenantSwitchResult as T, type UseUserResult as U, type IQAuthBranding as V, type IQAuthSignInContext as W, type SharedComponentProps as X, useIQAuthSignInContext as Y, sanitizeBrandCss as Z, __useIQAuthInternal as _, type IQAuthAppearance as a, type SignInProps as a0, isSilentSsoEligible as a1, resolveAfterSignInDestination as a2, SignIn as a3, type SignUpProps as a4, SignUp as a5, type UserSummary as a6, type UserButtonProps as a7, UserButton as a8, type UserProfileProps as a9, usePasskey as aA, type UseLinkedIdentitiesResult as aB, useLinkedIdentities as aC, type MagicLinkSignInFormProps as aD, MagicLinkSignInForm as aE, type PasskeySignInButtonProps as aF, PasskeySignInButton as aG, type LinkedAccountsProps as aH, LinkedAccounts as aI, __version__ as aJ, UserProfile as aa, type OrganizationSwitcherProps as ab, OrganizationSwitcher as ac, type ScopedMembership as ad, type UseMembershipsResult as ae, useMemberships as af, type ScopeSwitcherProps as ag, ScopeSwitcher as ah, type ImpersonationInfo as ai, useImpersonation as aj, type ImpersonationBannerProps as ak, ImpersonationBanner as al, type UseReverificationOptions as am, useReverification as an, type CreateOrganizationProps as ao, slugify as ap, CreateOrganization as aq, type OrganizationProfileProps as ar, OrganizationProfile as as, type OrganizationListProps as at, OrganizationList as au, type WaitlistProps as av, Waitlist as aw, type UseMagicLinkResult as ax, useMagicLink as ay, type UsePasskeyResult as az, type IQAuthProviderProps as b, IQAuthProvider as c, useT as d, useUser as e, type UseSessionResult as f, useSession as g, type UseAuthResult as h, useAuth as i, type UseOrganizationResult as j, useOrganization as k, useAuthFetch as l, type SessionListItem as m, type UseSessionListResult as n, useSessionList as o, useAccountList as p, type UseAccountSwitcherResult as q, revokeSession as r, useAccountSwitcher as s, SignedIn as t, useLocale as u, SignedOut as v, IQAuthLoading as w, IQAuthLoaded as x, RedirectToSignIn as y, performScopeSwitch as z };

package/dist/{index-CKoZHAoc.d.mts → index-RNqwEcmY.d.ts}

@@ -2,9 +2,9 @@ import * as csstype from 'csstype';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import * as React from 'react';
 import { ReactNode } from 'react';
-import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, A as AccountRegistry, C as CallbackResult, M as MagicLinkRequestInput, P as PasswordlessOptions, L as LinkedIdentity, d as LinkProviderInput } from './signIn-T-CZ6t6r.mjs';
-import { J as JwtClaims, S as SessionUser } from './types-XOV9XPVi.mjs';
-import { I as IQAuthLocaleBundle, b as IQAuthLocaleOverride, a as IQAuthLocaleKey } from './types-BdQ2lqfT.mjs';
+import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, A as AccountRegistry, C as CallbackResult, M as MagicLinkRequestInput, P as PasswordlessOptions, L as LinkedIdentity, d as LinkProviderInput } from './signIn-Cfa1GTpO.js';
+import { J as JwtClaims, S as SessionUser } from './types-Bn8O-OEd.js';
+import { I as IQAuthLocaleBundle, b as IQAuthLocaleOverride, a as IQAuthLocaleKey } from './types-DnU2LhXR.js';
 
 /**
  * F11 — `appearance.elements`. The keys are the slot names supported by SDK
@@ -360,13 +360,105 @@ interface ProtectProps {
     role?: string | string[];
     /** Required permission/entitlement. Pass an array to mean "any of". */
     permission?: string | string[];
+    /**
+     * Task #194 — Required scope. Matches when the active session's
+     * `scopeContext` claim equals the supplied `{type, id}`. Pass an array
+     * to mean "any of". A tenant-wide session (no `scopeContext`) does NOT
+     * satisfy a scope constraint — wrap such code in a separate `<Protect role>`
+     * gate if you also want to admit tenant-wide admins.
+     */
+    scope?: ScopeRequirement | ScopeRequirement[];
     /** Custom predicate run against `claims`. Truthy result = allowed. */
     condition?: (claims: JwtClaims | null) => boolean;
     /** Rendered when the user is not authorized. Defaults to `null`. */
     fallback?: ReactNode;
     children?: ReactNode;
 }
-declare function Protect({ role, permission, condition, fallback, children }: ProtectProps): React.FunctionComponentElement<{
+/**
+ * Task #197 — Server-authoritative scope pivot, factored out of the
+ * `useMemberships()` hook so it can be unit-tested without rendering React.
+ *
+ * Behavior:
+ *   1. POST `/api/v1/auth/switch-scope` through `manager.fetch()` (which
+ *      attaches the Bearer token + retries once on 401).
+ *   2. On a non-2xx response, throw with the server-provided error message
+ *      so callers can surface it via toast / banner.
+ *   3. On success, adopt the access token the server returned in the JSON
+ *      body via `manager.adoptAccessToken()`. This is the key behavior:
+ *      the new claims (with the pivoted `scopeContext`) take effect in
+ *      memory immediately, without a second `/refresh` round-trip that
+ *      could fail and strand the user on a stale token despite the
+ *      server-side pivot having already succeeded.
+ *   4. Fire-and-forget a `manager.refresh()` so the refresh-cookie session
+ *      stays aligned with the new scope across tabs / future bootstraps.
+ *      We deliberately do NOT await or throw on its failure — the pivot
+ *      already succeeded server-side AND in memory.
+ *   5. Defensive fallback: if the response body omits `accessToken` (older
+ *      server that didn't ship Task #197 yet), fall through to the legacy
+ *      "drive a refresh and throw on failure" path.
+ */
+declare function performScopeSwitch(manager: SessionManager, base: string, target: ScopeRequirement): Promise<void>;
+/**
+ * Task #199 — Server-authoritative tenant pivot, mirror of
+ * `performScopeSwitch`. Modeled to survive a failing refresh leg the
+ * same way: the success response from `POST /api/v1/auth/select-tenant`
+ * carries the freshly-minted access token, we `adoptAccessToken()` it
+ * immediately, and only then fire a fire-and-forget `manager.refresh()`
+ * so the refresh-cookie session stays aligned across tabs / future
+ * bootstraps.
+ *
+ * The endpoint accepts the authenticated tenant-pivot shape (no
+ * `tenantSelectionToken`) when the request carries a valid access
+ * token — `manager.fetch()` attaches it for us.
+ *
+ * Returns a discriminated union:
+ *   - `{ kind: "ok", tenantId }` — pivot completed
+ *   - `{ kind: "mfa_required", tenantId, mfaChallengeToken, availableMethods }`
+ *   - `{ kind: "scope_selection_required", tenantId, scopeSelectionToken, scopes }`
+ *
+ * Throws on non-2xx and on the legacy-server refresh fallback failing.
+ * The MFA and scope-selection branches were previously thrown with a
+ * magic-string `Error("mfa_required: …")` / `Error("scope_selection_required: …")`;
+ * Task #205 moves them to typed results so `<OrganizationSwitcher/>`
+ * and `<OrganizationList/>` can render localized prompts that route
+ * the user to the hosted sign-in to complete the missing step.
+ */
+type TenantSwitchResult = {
+    kind: "ok";
+    tenantId: string;
+} | {
+    kind: "mfa_required";
+    tenantId: string;
+    mfaChallengeToken: string;
+    availableMethods: string[];
+} | {
+    kind: "scope_selection_required";
+    tenantId: string;
+    scopeSelectionToken: string;
+    scopes: Array<Record<string, unknown>>;
+};
+declare function performTenantSwitch(manager: SessionManager, base: string, tenantId: string): Promise<TenantSwitchResult>;
+/** Task #194 — Shape passed to `<Protect scope>` and `useMemberships().switchScope`. */
+interface ScopeRequirement {
+    type: "vendor" | "source" | "client";
+    id: string;
+}
+/**
+ * Task #194 — Pure helper that returns `true` when the supplied claims
+ * carry a `scopeContext` matching ANY of the supplied requirements.
+ * Exported so framework adapters AND tests can verify the matching rule
+ * without rendering React.
+ *
+ * Matching rule:
+ *   - `claims.scopeContext.type === required.type`
+ *   - `claims.scopeContext.id   === required.id`
+ *
+ * A claims object with no `scopeContext` never matches a scope requirement
+ * — tenant-wide admins must be gated separately via `<Protect role>` if you
+ * want them to also see scope-gated UI.
+ */
+declare function claimSatisfiesScope(claims: JwtClaims | null, required: ScopeRequirement | ScopeRequirement[]): boolean;
+declare function Protect({ role, permission, scope, condition, fallback, children }: ProtectProps): React.FunctionComponentElement<{
     children?: ReactNode | undefined;
 }>;
 /**
@@ -547,8 +639,24 @@ interface SignInProps extends Partial<SharedComponentProps> {
      * F10 — Optional. Defaults to `${origin}/api/iqauth/callback` (the path
      * mounted by the framework adapters). Must be in the app's allowed
      * origins.
+     *
+     * NOTE: this is the OIDC `redirect_uri` — i.e. WHERE the authorization
+     * code is delivered (the adapter's callback handler), NOT the page the
+     * user finally lands on. To control the post-login landing page use
+     * {@link afterSignInUrl}.
      */
     returnTo?: string;
+    /**
+     * Where the user should land AFTER login completes (distinct from
+     * {@link returnTo}, which is pinned to the adapter callback). The SDK
+     * persists this in the `iqauth_return_to` cookie before redirecting; the
+     * cookies-only framework adapters' `/api/iqauth/callback` reads it and
+     * 302s there once the code→cookie exchange finishes. When omitted, the
+     * SDK reads `?return_to=` / `?next=` from the current URL; if neither is
+     * present the adapter falls back to `/`. Sanitized against the provider's
+     * `allowedReturnOrigins` (same-origin + allow-list only).
+     */
+    afterSignInUrl?: string;
     /** Called after successful redirect. By default, `window.location.href = url`. */
     onRedirect?: (url: string) => void;
     /** Pass `"login"` to force the form to render even when an SSO session is active. */
@@ -562,6 +670,22 @@ interface SignInProps extends Partial<SharedComponentProps> {
      * continue.
      */
     silentSso?: boolean;
+    /**
+     * Task #171 — Optional deep-link scope hint forwarded to the hosted
+     * `/oidc/sso-login`, `/oidc/sso-tenant-select`, and
+     * `/oidc/sso-scope-select` endpoints. When the user has only source/client
+     * memberships in the resolved tenant AND this hint uniquely matches one
+     * active membership the backend skips the picker and mints a scoped
+     * session straight away. Accepted forms: `{ type: "vendor"|"source"|
+     * "client", id: string }` or the canonical string `"<type>:<id>"`.
+     * When omitted, the SDK also reads `?scope_hint=<type>:<id>` from
+     * `window.location.search` so apps using the standard hosted entry point
+     * inherit deep-link hints for free.
+     */
+    scopeHint?: {
+        type: "vendor" | "source" | "client";
+        id: string;
+    } | string;
 }
 /**
  * Pure render-decision helper. When this returns `true`, `<SignIn/>` MUST
@@ -576,6 +700,19 @@ declare function isSilentSsoEligible(ctx: {
     };
     returnAllowed: boolean;
 } | null | undefined, effectivePrompt: "login" | undefined): boolean;
+/**
+ * Pure resolver for `<SignIn/>`'s post-login landing page. Precedence:
+ * explicit `prop` → `?return_to=` → `?next=` → `/`. The result is passed
+ * through {@link sanitizeReturnTo} so only same-origin or allow-listed
+ * destinations survive (open-redirect safe). Exported so the resolution
+ * order can be unit-tested without a DOM.
+ */
+declare function resolveAfterSignInDestination(args: {
+    prop?: string | null;
+    search?: string;
+    allowedOrigins?: string[];
+    currentOrigin?: string;
+}): string;
 declare function SignIn(props: SignInProps): react_jsx_runtime.JSX.Element;
 interface SignUpProps extends SharedComponentProps {
     returnTo?: string;
@@ -609,6 +746,91 @@ interface OrganizationSwitcherProps {
     className?: string;
 }
 declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearance, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
+/** Task #194 — One scoped membership entry (source/client/vendor). */
+interface ScopedMembership {
+    membershipId: string;
+    scopeType: "vendor" | "source" | "client";
+    scopeId: string;
+    scopeName: string;
+    role: string;
+    /** Surfaces inherited grants (e.g. a vendor-wide grant that implicitly covers a source). */
+    grantedVia?: "direct" | "vendor" | "source" | string;
+}
+interface UseMembershipsResult {
+    isLoading: boolean;
+    error: string | null;
+    /** Flattened source/client/vendor memberships in the active tenant. */
+    memberships: ScopedMembership[];
+    /** The scope the active access token is currently minted under (or `null` for tenant-wide). */
+    active: {
+        type: "vendor" | "source" | "client";
+        id: string;
+        role: string;
+        membershipId: string;
+    } | null;
+    /** Re-fetch the membership list (e.g. after an admin grants new access). */
+    refresh: () => Promise<void>;
+    /**
+     * Switch the active scope. Calls `POST /api/v1/auth/switch-scope` then
+     * `manager.refresh()` so the next access token carries the new
+     * `scopeContext`. Throws on HTTP errors so callers can surface a toast.
+     */
+    switchScope: (target: ScopeRequirement) => Promise<void>;
+}
+/**
+ * Task #194 — First-class scoped-memberships hook. Modelled after Clerk's
+ * `useOrganizationList()` but for IQAuth's source/client/vendor scopes.
+ *
+ * - `memberships`: flat list across vendors + sources + clients in the
+ *   currently bound tenant. Fetched once on mount via
+ *   `GET /api/v1/auth/available-scopes`.
+ * - `active`: derived synchronously from `snapshot.user.scopeContext`,
+ *   so it stays in sync with refreshes triggered elsewhere (tab focus,
+ *   cross-tab broadcast).
+ * - `switchScope({type, id})`: server-authoritative scope pivot.
+ *   Returns after `manager.refresh()` resolves so consumers can `await`
+ *   it and assume the new claim is live on the next render.
+ */
+declare function useMemberships(): UseMembershipsResult;
+interface ScopeSwitcherProps {
+    /** Optional callback fired after a successful switch + refresh. */
+    onSwitched?: (target: ScopeRequirement) => void;
+    /** Filter the rendered list. Defaults to all three scope types. */
+    include?: Array<"vendor" | "source" | "client">;
+    className?: string;
+}
+/**
+ * Task #194 — Headless-ish scope picker. Renders the current `active`
+ * scope as a button; expanding it lists every membership returned by
+ * `useMemberships()`. Picking one calls `switchScope()` and (on success)
+ * triggers `onSwitched`. Uses inline styles for the same reason
+ * `<OrganizationSwitcher/>` does: SDK chrome must work in any host app
+ * without requiring a specific CSS framework. Host apps can build their
+ * own UI on top of `useMemberships()` directly when they need full
+ * control.
+ */
+declare function ScopeSwitcher({ onSwitched, include, className }: ScopeSwitcherProps): React.DetailedReactHTMLElement<{
+    className: string | undefined;
+    "data-testid": string;
+    style: {
+        fontSize: number;
+        opacity: number;
+    };
+}, HTMLElement> | React.DetailedReactHTMLElement<{
+    className: string | undefined;
+    "data-testid": string;
+    style: {
+        fontSize: number;
+        color: "#b91c1c";
+    };
+}, HTMLElement> | React.DetailedReactHTMLElement<{
+    className: string | undefined;
+    "data-testid": string;
+    style: {
+        position: "relative";
+        display: "inline-block";
+    };
+}, HTMLElement> | null;
 interface ImpersonationInfo {
     isImpersonating: boolean;
     /** The admin who started the impersonation (from JWT `act` claim). */
@@ -1623,4 +1845,4 @@ interface LinkedAccountsProps extends Partial<PasswordlessOptions> {
 declare function LinkedAccounts({ className, onChange, ...rest }: LinkedAccountsProps): react_jsx_runtime.JSX.Element;
 declare const __version__ = "phase-bc-1.0.0";
 
-export { SignUp as $, type AccountSummary as A, type RedirectToSignedInProps as B, RedirectToSignedIn as C, type UseReturnToOptions as D, useReturnTo as E, type IQAuthReturnToBouncerProps as F, IQAuthReturnToBouncer as G, preflightReturnTo as H, type IQAuthAppearanceElements as I, type AuthCallbackProps as J, AuthCallback as K, type IQAuthBranding as L, MultisessionAppSupport as M, type IQAuthSignInContext as N, type SharedComponentProps as O, type ProtectProps as P, useIQAuthSignInContext as Q, type RedirectToSignInProps as R, type SessionError as S, sanitizeBrandCss as T, type UseUserResult as U, useResolvedSdkBranding as V, type SignInProps as W, isSilentSsoEligible as X, SignIn as Y, type SignUpProps as Z, __useIQAuthInternal as _, type IQAuthAppearance as a, type UserSummary as a0, type UserButtonProps as a1, UserButton as a2, type UserProfileProps as a3, UserProfile as a4, type OrganizationSwitcherProps as a5, OrganizationSwitcher as a6, type ImpersonationInfo as a7, useImpersonation as a8, type ImpersonationBannerProps as a9, ImpersonationBanner as aa, type UseReverificationOptions as ab, useReverification as ac, type CreateOrganizationProps as ad, slugify as ae, CreateOrganization as af, type OrganizationProfileProps as ag, OrganizationProfile as ah, type OrganizationListProps as ai, OrganizationList as aj, type WaitlistProps as ak, Waitlist as al, type UseMagicLinkResult as am, useMagicLink as an, type UsePasskeyResult as ao, usePasskey as ap, type UseLinkedIdentitiesResult as aq, useLinkedIdentities as ar, type MagicLinkSignInFormProps as as, MagicLinkSignInForm as at, type PasskeySignInButtonProps as au, PasskeySignInButton as av, type LinkedAccountsProps as aw, LinkedAccounts as ax, __version__ as ay, type IQAuthProviderProps as b, IQAuthProvider as c, useT as d, useUser as e, type UseSessionResult as f, useSession as g, type UseAuthResult as h, useAuth as i, type UseOrganizationResult as j, useOrganization as k, useAuthFetch as l, type SessionListItem as m, type UseSessionListResult as n, useSessionList as o, useAccountList as p, type UseAccountSwitcherResult as q, revokeSession as r, useAccountSwitcher as s, SignedIn as t, useLocale as u, SignedOut as v, IQAuthLoading as w, IQAuthLoaded as x, RedirectToSignIn as y, Protect as z };
+export { useResolvedSdkBranding as $, type AccountSummary as A, performTenantSwitch as B, type ScopeRequirement as C, claimSatisfiesScope as D, Protect as E, type RedirectToSignedInProps as F, RedirectToSignedIn as G, type UseReturnToOptions as H, type IQAuthAppearanceElements as I, useReturnTo as J, type IQAuthReturnToBouncerProps as K, IQAuthReturnToBouncer as L, MultisessionAppSupport as M, preflightReturnTo as N, type AuthCallbackProps as O, type ProtectProps as P, AuthCallback as Q, type RedirectToSignInProps as R, type SessionError as S, type TenantSwitchResult as T, type UseUserResult as U, type IQAuthBranding as V, type IQAuthSignInContext as W, type SharedComponentProps as X, useIQAuthSignInContext as Y, sanitizeBrandCss as Z, __useIQAuthInternal as _, type IQAuthAppearance as a, type SignInProps as a0, isSilentSsoEligible as a1, resolveAfterSignInDestination as a2, SignIn as a3, type SignUpProps as a4, SignUp as a5, type UserSummary as a6, type UserButtonProps as a7, UserButton as a8, type UserProfileProps as a9, usePasskey as aA, type UseLinkedIdentitiesResult as aB, useLinkedIdentities as aC, type MagicLinkSignInFormProps as aD, MagicLinkSignInForm as aE, type PasskeySignInButtonProps as aF, PasskeySignInButton as aG, type LinkedAccountsProps as aH, LinkedAccounts as aI, __version__ as aJ, UserProfile as aa, type OrganizationSwitcherProps as ab, OrganizationSwitcher as ac, type ScopedMembership as ad, type UseMembershipsResult as ae, useMemberships as af, type ScopeSwitcherProps as ag, ScopeSwitcher as ah, type ImpersonationInfo as ai, useImpersonation as aj, type ImpersonationBannerProps as ak, ImpersonationBanner as al, type UseReverificationOptions as am, useReverification as an, type CreateOrganizationProps as ao, slugify as ap, CreateOrganization as aq, type OrganizationProfileProps as ar, OrganizationProfile as as, type OrganizationListProps as at, OrganizationList as au, type WaitlistProps as av, Waitlist as aw, type UseMagicLinkResult as ax, useMagicLink as ay, type UsePasskeyResult as az, type IQAuthProviderProps as b, IQAuthProvider as c, useT as d, useUser as e, type UseSessionResult as f, useSession as g, type UseAuthResult as h, useAuth as i, type UseOrganizationResult as j, useOrganization as k, useAuthFetch as l, type SessionListItem as m, type UseSessionListResult as n, useSessionList as o, useAccountList as p, type UseAccountSwitcherResult as q, revokeSession as r, useAccountSwitcher as s, SignedIn as t, useLocale as u, SignedOut as v, IQAuthLoading as w, IQAuthLoaded as x, RedirectToSignIn as y, performScopeSwitch as z };

package/dist/index.d.mts

@@ -1,14 +1,14 @@
-export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-BGFnBpfc.mjs';
+export { j as ApiKeysModule, g as AppsModule, A as AuthModule, B as BrandingModule, m as ClientsModule, C as CreateAppRequest, h as CreateAppResponse, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, k as InvitesModule, M as MembershipsModule, p as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, i as PermissionGroupsModule, P as PermissionsModule, o as PinModule, R as RolesModule, n as ScopeModule, S as SessionsModule, l as SourcesModule, T as TenantsModule, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-D8L-PaWr.mjs';
 export { b as ErrorCode, E as ErrorCodes, I as IQAuthError, c as IQAuthErrorCode, a as IQ_AUTH_ERROR_CODES } from './errors-Jl1Jtm-6.mjs';
-export { i as iqAuthMiddleware } from './express-CVNQEkOr.mjs';
-export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-CITeoG6P.mjs';
+export { i as iqAuthMiddleware } from './express-DDTA3qV1.mjs';
+export { b as DEFAULT_CLOCK_TOLERANCE_SECONDS, a as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, c as TokenVerifyOptions, T as TokensModule, d as TokensModuleOptions } from './tokens-B06VtvUi.mjs';
 export { K as KeyMode, c as ParsedPublishableKey, P as PublishableKeyPayload, a as assertPublishableKey, e as encodePublishableKey, i as isPublishableKey, b as isSecretKey, p as parsePublishableKey } from './publishableKey-f2kq-rKw.mjs';
 export { UserinfoResponse, buildUserinfoResponse, handleUserinfo } from './server/handlers.mjs';
 export { VerifyWsUpgradeOptions, VerifyWsUpgradeResult, WsUpgradeRequestLike, verifyWsUpgrade } from './ws.mjs';
 export { CreateTestIssuerOptions, MintAuthCodeOptions, MintTokenOptions, TestIssuer, createTestIssuer } from './test.mjs';
-export { ap as AcceptInviteRequest, ac as AddGroupPermissionRequest, af as AddUserOverrideRequest, D as ApiErrorResponse, ai as ApiKeyInfo, al as ApiKeyIntrospection, E as ApiResponse, A as ApiSuccessResponse, a0 as AppInfo, $ as AppManifest, a2 as AppSyncResult, a6 as AssignRoleRequest, aO as AvailableScopesTree, b0 as BackupCodeCountResult, a$ as BackupCodesResult, u as BrandingAsset, B as BrandingConfig, w as BrandingDomainMapping, aD as Client, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, aE as CreateClientRequest, an as CreateInviteRequest, aL as CreateMembershipRequest, a4 as CreateRoleRequest, aB as CreateSourceRequest, C as CreateTenantRequest, ay as CreateVendorRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, ag as EffectivePermission, a_ as EmailEnrollResult, av as Entitlement, X as ExpressMiddlewareOptions, aT as GdprExportData, aw as GrantEntitlementRequest, ab as GroupPermission, aI as HierarchyClient, aJ as HierarchyLink, aH as HierarchySource, aG as HierarchyVendor, i as IQAuthBaseClaims, I as IQAuthBrowserSessionClientConfig, h as IQAuthClaims, e as IQAuthClientConfig, d as IQAuthEnvironment, c as IQAuthNextFunction, a as IQAuthRequestLike, b as IQAuthResponseLike, Y as IQAuthRetryConfig, f as IQAuthTokenClientConfig, Z as IQAuthVerifyConfig, ad as InheritanceRelation, am as Invitation, q as InviteTenantUserRequest, r as InviteTenantUserResult, ao as InviteValidation, x as JwksKey, y as JwksResponse, J as JwtClaims, L as LoginResult, aK as Membership, aN as MembershipWithDetails, aW as MfaAvailableMethods, G as MfaEnrollment, F as MfaMethod, Q as MfaPolicy, K as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, z as OidcTokenResponse, N as PasswordPolicy, ah as PermissionCheckResult, aa as PermissionGroup, a1 as PermissionNodeInfo, _ as PermissionNodeManifest, aV as PinLoginResult, aU as PinStatus, P as PromoteToVendorRequest, p as PromoteToVendorResult, V as ProvisionUserRequest, W as ProvisionUserResponse, a3 as Role, g as ScopeContext, aS as ScopeSwitchResult, aP as ScopeTreeClient, aQ as ScopeTreeSource, aR as ScopeTreeVendor, m as Session, l as SessionAuthenticatedLoginResult, S as SessionUser, aZ as SmsEnrollResult, aA as Source, j as Tenant, n as TenantInfo, a9 as TenantUser, s as TenantUserRoleUpdate, k as TokenAuthenticatedLoginResult, T as TokenPair, aX as TotpEnrollResult, H as TotpEnrollmentResult, aY as TotpVerifyResult, t as UpdateBrandingRequest, aF as UpdateClientRequest, aM as UpdateMembershipRequest, a5 as UpdateRoleRequest, aC as UpdateSourceRequest, o as UpdateTenantRequest, az as UpdateVendorRequest, v as UploadAssetRequest, a8 as UserGroupAssignment, ae as UserPermissionOverride, R as UserPermissions, U as UserProfile, a7 as UserRoleAssignment, ax as Vendor, at as WebhookDelivery, aq as WebhookEndpoint, au as WebhookTestResult } from './types-XOV9XPVi.mjs';
+export { ap as AcceptInviteRequest, ac as AddGroupPermissionRequest, af as AddUserOverrideRequest, D as ApiErrorResponse, ai as ApiKeyInfo, al as ApiKeyIntrospection, E as ApiResponse, A as ApiSuccessResponse, a0 as AppInfo, $ as AppManifest, a2 as AppSyncResult, a6 as AssignRoleRequest, aO as AvailableScopesTree, b0 as BackupCodeCountResult, a$ as BackupCodesResult, u as BrandingAsset, B as BrandingConfig, w as BrandingDomainMapping, aD as Client, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, aE as CreateClientRequest, an as CreateInviteRequest, aL as CreateMembershipRequest, a4 as CreateRoleRequest, aB as CreateSourceRequest, C as CreateTenantRequest, ay as CreateVendorRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, ag as EffectivePermission, a_ as EmailEnrollResult, av as Entitlement, X as ExpressMiddlewareOptions, aT as GdprExportData, aw as GrantEntitlementRequest, ab as GroupPermission, aI as HierarchyClient, aJ as HierarchyLink, aH as HierarchySource, aG as HierarchyVendor, i as IQAuthBaseClaims, I as IQAuthBrowserSessionClientConfig, h as IQAuthClaims, e as IQAuthClientConfig, d as IQAuthEnvironment, c as IQAuthNextFunction, a as IQAuthRequestLike, b as IQAuthResponseLike, Y as IQAuthRetryConfig, f as IQAuthTokenClientConfig, Z as IQAuthVerifyConfig, ad as InheritanceRelation, am as Invitation, q as InviteTenantUserRequest, r as InviteTenantUserResult, ao as InviteValidation, x as JwksKey, y as JwksResponse, J as JwtClaims, L as LoginResult, aK as Membership, aN as MembershipWithDetails, aW as MfaAvailableMethods, G as MfaEnrollment, F as MfaMethod, Q as MfaPolicy, K as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, z as OidcTokenResponse, N as PasswordPolicy, ah as PermissionCheckResult, aa as PermissionGroup, a1 as PermissionNodeInfo, _ as PermissionNodeManifest, aV as PinLoginResult, aU as PinStatus, P as PromoteToVendorRequest, p as PromoteToVendorResult, V as ProvisionUserRequest, W as ProvisionUserResponse, a3 as Role, g as ScopeContext, aS as ScopeSwitchResult, aP as ScopeTreeClient, aQ as ScopeTreeSource, aR as ScopeTreeVendor, m as Session, l as SessionAuthenticatedLoginResult, S as SessionUser, aZ as SmsEnrollResult, aA as Source, j as Tenant, n as TenantInfo, a9 as TenantUser, s as TenantUserRoleUpdate, k as TokenAuthenticatedLoginResult, T as TokenPair, aX as TotpEnrollResult, H as TotpEnrollmentResult, aY as TotpVerifyResult, t as UpdateBrandingRequest, aF as UpdateClientRequest, aM as UpdateMembershipRequest, a5 as UpdateRoleRequest, aC as UpdateSourceRequest, o as UpdateTenantRequest, az as UpdateVendorRequest, v as UploadAssetRequest, a8 as UserGroupAssignment, ae as UserPermissionOverride, R as UserPermissions, U as UserProfile, a7 as UserRoleAssignment, ax as Vendor, at as WebhookDelivery, aq as WebhookEndpoint, au as WebhookTestResult } from './types-Bn8O-OEd.mjs';
 export { IQAUTH_SIGNATURE_HEADER, IQAuthEvent, IQAuthWebhookEvent, LEGACY_SIGNATURE_HEADERS, ParseWebhookEventOptions, VerifyWebhookOptions, WebhookSignatureError, isValidWebhookSignature, parseWebhookEvent, verifyWebhookSignature } from './webhooks.mjs';
-export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-M5G47LWO.mjs';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-IEycmsgb.mjs';
 
 /**
  * Shared wildcard permission utilities.